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We make an explicit connection between fundamental notions in quantum cryptography and 
quantum error correction. Error-correcting subsystems (and subspaces) for quantum channels are 
the key vehicles for contending with noise in physical implementations of quantum information- 
processing. Private subsystems (and subspaces) for quantum channels play a central role in cryp- 
tographic schemes such as quantum secret sharing and private quantum communication. We show 
that a subsystem is private for a channel precisely when it is correctable for a complementary chan- 
nel. This result is shown to hold even for approximate notions of private and correctable defined in 
terms of the diamond norm for superoperators. 
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In operator quantum error correction, a correctable 
subsystem for a noise map is one upon which the ac- 
tion of the noise can be corrected [l|, Q . Equivalently, it 
is one that merely suffers a unitary change of represen- 
tation and therefore does not decohere at all 0,11]]. A 
private subsystem is the extreme opposite: it is one that 
completely decoheres under the action of the noise in the 
sense that no information about the state of the subsys- 
tem remains at the output of the map [B| . This concept 
is very useful in quantum cryptography. For instance, 
it finds application in the context of private quantum 
communication schemes. If Alice encodes quantum in- 
formation using a secret key that she shares with Bob, 
then Eve's ignorance of this key can be modelled as a 
noisy channel. As an example, suppose Alice and Bob 
share a secret classical key in the form of a random vari- 
able X with distribution p which they use to select a 
unitary from a set {U x } to implement on a system prior 
to transmitting it. Then Eve's description of the system 
is £(p) = J2 x P( x )UxpU?i.. The private subsystems of this 
channel are precisely the subsystems about which Eve 
obtains no information 5, 6, 7]. Another cryptographic 
application is quantum secret sharing Suppose 
a system is mapped by a channel C to n systems, dis- 
tributed among n parties. How can one encode quantum 
information into this system in such a way that any set 
of parties with less than k members can learn nothing 
about it? The answer is that it must be encoded into 
subsystems that are private for the reduction of C to any 
k — 1 or fewer parties. 

Finding the private subsystems for an arbitrary map 
is therefore a problem with significant applications in 
quantum cryptography. It is in fact the counter- 



part of one of the central problems in quantum error 
correction - finding the correctable subsystems for an 
arbitrary noise map. This problem, which encom- 
passes that of finding the error-correcting subspace codes 
[ToL fill [l2l [T3L [lij ] and the decoherence-free subspaces 
and noiseless subsystems [H, [3 [H E H US H3, 
has been the subject of intensive investigations of late 
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almost no work has been done on the private subsystem 
problem. At first glance then, one might expect the 
road to progress to be a long one. However, the dual- 
ity of the two problems provides a shortcut. Indeed, a 
central result of our paper is that the private subsystems 
for a map are simply the correctable subsystems for a 
complementary map, where the notion of complementar- 
ity of maps is the one introduced in [30]. Because it is 
straightforward to obtain the complements of a map, it 
follows that all the techniques and progress on finding 
correctable subsystems can be immediately appropriated 
for the problem of finding private subsystems. 

The implication also holds in the opposite direction: 
the correctable subsystems for a map are the private sub- 
systems for a complementary map. Consequently, results 
from the field of cryptography may also provide novel in- 
sights for error correction. 

This duality between private and correctable in the 
case of subspaces has already been used implicitly in pre- 
vious work, such as [H, [3lj , where results from error cor- 
rection are exploited to derive conclusions for cryptogra- 
phy. Our result is therefore likely to be intuitive to most 
quantum information theorists. Nonetheless, it is a sur- 
prisingly powerful tool. Indeed, many well-known results 
in quantum information (and generalizations thereof) can 
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be derived as simple consequences of it. 

In real-world applications, demanding perfect recov- 
ery or complete decoherence of quantum information is 
too restrictive. We therefore also consider approximate 
notions of error correction and privacy, defined in terms 



of the diamond norm for superoperators [32J, |33j , which 
can be computed algorithmically (34|. We demonstrate 
that if a subsystem is approximately correctable (respec- 
tively private) for a map then it is approximately pri- 
vate (respectively correctable) for a complementary map. 
While an approximate version of the ideal result is not 
unexpected, it is still surprising that simple dimension- 
independent bounds can be derived. To accomplish this, 
we make use of recently developed techniques from [35I ]. 

We now describe preliminary notation and nomencla- 
ture. Given a quantum system S represented on a (finite- 
dimensional) Hilbert space, also denoted by S, we say a 
quantum system B is a subsystem of S if there is a repre- 
sentation of B such that S = (A<g>B)®(A<g)B) ± , where A 
is also a subsystem of S. The subspaces of S can be iden- 
tified with subsystems B for which A is one-dimensional. 
We adopt the convention that A, B are subsystems of 
S, and A',B' are subsystems of S'. We also adopt the 
convention that p denotes a density operator, and tr, r 
denote arbitrary operators. A subscript such as <jb refers 
to the subsystem on which the operator is defined. The 
set of linear operators on S is denoted by £(S). 

Linear maps on £(S), or "superoperators", can be re- 
garded as operators acting on the space £(S) with the 
Hilbert-Schmidt inner product (cr, t) = tr(a^r). We use 
the term channel to mean a trace-preserving completely 
positive linear map £ : £(S) — > £{S r ) between Hilbert 
spaces S and S'. Such maps describe (discrete) time 
evolution of open quantum systems in the Schrodinger 
picture. The composition of two maps will be denoted 
by £ o J- (a) = £(J r (a)). A unitary channel U satisfies 
W oU = UoW = id, where id is the identity map, and is 
implemented by a unitary operator U via 
An isometric channel V satisfies only o V = id and is 
implemented by an isometry V via V(c) = VaV'. Let 
Tab be the map defined by Tab{v) — Pab&Pab where 
Pab is the projector onto the subspace A ® B, and let 
ids be the identity map on £(B). If we arc given maps 
£a, £b on the subsystems, as a notational convenience 
we write £a <£> £b both for the map on £(A ® B) and 
for the natural extension of the map to £{S). Finally, 
the input and output spaces of operators and superoper- 
ators will often be denoted by whether they appear on 
the right or left of a conditional in the subscript, e.g., 
V BC \a-A -> B ® C and £ C \ AB - £{A) ® £{B) -> £{C). 
The absence of a conditional implies equality of input 
and output spaces, e.g. £a-£{A) — > £{A). 

The norm distance || ■ || that we use to quantify the ap- 
proximate cases of the main result is the diamond norm 
for superoperators, originally introduced in the context 
of quantum computing and error correction 32, 33j. It is 



defined by \\£ — TW^ :— sup fe>1 ||idfc ® {£ — J 7 )!^ where 
idfc denotes the identity operation on the complex- valued 
(k x k) matrices, and denotes the superoperator 
1-norm ||£||j := sup^H^ \\£ {a)^ where Hcr^ = tr|er|. 
The diamond norm stabilizes in the sense that this 
supremum is attained for k equal to the dimension of 
the output Hilbert space for the superoperator. (In 
fact, it is the dual of the completely bounded norm, 
||£|L = ||£t|| , [36(] .) Channels £ and T are said to be 
e-close if \\£ — ^"lU < £■ If two channels are e-close, 
then the maximum probability of distinguishing the 
output states of the channels, in an optimization over 
all input states entangled with an ancilla of arbitrary 
dimension, is 1/2 + e/4. This follows from the fact 
that h + \ 1 1 — pjr\\ 1 is the maximum probability of 
discriminating ps — idfc ® £{o~) and p? = idfc ® 
and that the supremum over a in ||£ — ^"lU = 
supfc^! supii^n < x ||idfc (g) £{a) - id fe ® T{o)^ x captures 
the optimization. 

We introduce the term deletion channel for a channel 
that has a 1-dimcnsional output space, that is, for all 
o~b S £{B). T)bi\b(<jb) = tr b{o b) u 'b' for some fixed 
u>b'- Note that the completely depolarizing channel is a 
special case of a deletion channel where u>b' oc Ib>- A 
pure deletion channel is one for which wg> is a pure state. 
The trace is a special case of a pure deletion channel. 

We now define what we mean by private and cor- 
rectable subsystems. 

Definition 1 Given e > 0, we say B is an e-private sub- 
system for £s'\s if there is a channel Ma'\a an d a dele- 
tion channel T>b'\b such that 



\£s'\s°Pab - M a >\a® ^b'I-bL < e - 



(1) 



If Eq. (Qp holds with e = 0, we call B a private subsystem. 

This can be seen as an improved definition of e-private 
relative to the one presented in [7( , because it guarantees 
privacy even if the eavesdropper holds a purification of 
the state. The term "completely" private was used in 
Q to describe private subsystems, but we drop this term 
here for succinctness. In the e = case for which B is a 
subspace, and so dim A = 1, this notion coincides with 
the private quantum channel 0] and private subspace 
[5], 0|- Note that if the definition is satisfied for Ma>\a 
and T>b'\b where the latter is a deletion channel that 
maps all states on B to a mixed state u>b>, then we can 
always define M.' S ,^ A = Ma'\A ®Ub> and a pure deletion 
channel T>q B — trs such that the definition is satisfied. 
Consequently, the definition of a private subsystem could 
equally well specify that £ o Vab be e-close to a channel 
of the form M! 3 ,\ A <g> tr^- 

The use of diamond norms in quantum computing mo- 
tivates the following definition for approximately cor- 
rectable codes. The e = case was introduced in [H, @]. 
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Definition 2 Given e > 0, we say B is an e-correctable 
subsystem for £gng if there is a channel 1Zg\g> an d a 
channel Ma such that 



\fcs\S' °£s'\S 'Pab -Na® < e. 



(2) 



where ids is the identity channel on B. If Eq. holds 
with e = 0, we say that B is a correctable subsystem. 

Finally, we define the notion of a complementary pair 
of channels, which has arisen recently in the analysis of 
channel capacity problems 3(J 37, 38 1 and a continuity 
theorem for the Stinespring dilation 3^, 3^| . 



Definition 3 Let £s>\s an d £g»\g ^e channels on a sys- 
tem S with output spaces S' and S" respectively. Then 
we say £ , £* form a complementary pair if there is an 
isometric channel Vg>g//\g such that 



£s'\s — tr S" ° Vs r S"\S , £, 



S"\S 



trs' o Vs'S"\s- (3) 



The Hilbert space S" (respectively S') is a dilation space 
for £ (respectively £'), and Vgigu\g is an isometric di- 
lation of both. Complementary pairs arise frequently in 
quantum information theory. As a consequence of the 
Stinespring Dilation Theorem (4pj , every channel may be 
seen to arise from an environment Hilbert space E (of 
dimension at most the product of the input and output 
Hilbert space dimensions if the dilation is minimal), a 
pure state on the environment, and a unitary opera- 
tor U on the composite SE in the following sense: £(a) = 
trE(£/(<7® IV'XV'D) ■ Tracing out the system instead yields 
a complementary channel: £$(cr) — tig(li(cr ® IV'XV'I))- 
The corresponding isometric form is £"(<x) = trg(V(a)) , 
where V is implemented by the isometry V\<f>) = U\<p) \ip). 
A simple example is useful in illustrating the concept. 

Lemma 4 The identity channel and the trace channel 
form a complementary pair. 

The proof is straightforward. A dilation space for ids 
need only be one-dimensional, E = C, and an isometric 
dilation V may be chosen to be simply multiplication by 
a phase factor. The complement defined by this dilation 
is simply tig. We now state our main result. 

Theorem 5 Let £ and £* be complementary channels. If 
a subsystem B is e-correctable (respectively e-private) for 
£, then it is 2^/e-private (respectively 2-y/e- correctable) 
for £K The ideal result, obtained by setting e = implies 
that B is a correctable subsystem for £ if and only if B 
is a private subsystem for £K 

The key technical device in the proof is the continuity 
theorem of [III, which we state for completeness. 



Theorem 6 Let £, £':C(X) — > C(Y) be arbitrary quan- 
tum channels, and let V and V' be two corresponding iso- 
metric dilations with a common dilation space Z. Then 

{]£-£% <2min ® U)V - V]^ , (4) 

where the minimum is taken over all unitary U on Z . 
Moreover, if dim Z > 2 dim X dim Y we also have 



min||(/ r StyV-V'Wn < \\£-£'\\ 



(5) 



We note that the continuity theorem has recently been 
extended to completely positive maps between arbitrary 
C*-algebras [3{|. This should allow for the extension 
of the complementarity theorem from finite-dimensional 
matrix algebras to infinite-dimensional ones. 
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FIG. 1: Channels involved in the inference from private to 
correctable in Theorem [5] 

Proof of Theorem [5j It suffices to prove the re- 
sult in the case S = A <g> B. The general case can 
then be obtained by considering the restricted channels 
£ ° Tab and £" o Vab (which are complementary). Let 
Vs : S — > S' <g> S" be the dilation isometry for £ and 
£*. First, suppose B is e-private for £ in the sense of 



Def. [TJ It is then e-close to a channel T := M. 



S'\A ' 



itr B . 



By possibly enlarging the dilation spaces of £ and T , we 
may always assume without loss of generality that these 
spaces are isomorphic to one another and satisfy the di- 
mension bounds of Theorem [5J Eq. (J5]) then guarantees 
the existence of a unitary U-r on the common dilation 
space S" such that 

\\(U n »I S >) Ve-VrWoo < \\£ - ^||o /2 < y/l. (6) 
Define := trs> ° V>. By Eq. (gj, we infer that 
\\U n o £* - T% <2\\{U n ® I S ')V £ 



(7) 



Define A" by S" = A" ® B. Note that by Lemma H 
J 7 " = M\,,\a ® i( fe where M^,,^ ■= tig' ° V M and 
Vm is an isometric dilation of Mgi\A with dilation space 
A". Finally, define A by A" = A ® A, and define 
the channels Ma := tr^o ° M. A „, A and TZ := tr Ao ° U-R. 
Tracing over Ag in the left-hand side of Eq. {7J , noting 
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that the diamond norm is nonincreasing under partial 
trace, and using Eq. ([6]), we obtain 



\Ho£t -Af A ®id B \\o < 2Ve, 



(8) 



which implies that B is 2 -^-correctable for £*. A 

Suppose now that B is e-correctable for £ in the sense 
of Def. [2j so that there exists a channel 1Z such that 
1Z o £ is e-close to a channel Q := Na ® ids. Again, 
we may assume that the dilation spaces of TZ o £ and 
£/ are isomorphic and satisfy the dimension bounds of 
Theorem [5] If we denote the dilation spaces of £ and 
1Z by S" and Sq respectively, then the common dilation 
space of 1Z o £ and is So ® S" . Letting Vg, Vr and 
Vg denote the isometric dilations of £,1Z and G, we infer 
from Eq. ([5]) that there exists a unitary U on So ® 5"' 
such that 

Js-JVf-tlfirSCOV&Hoo < \\TZo£-g\\ 1 / 2 < ^. 

(9) 

Dchnc := tr s o Vg and 1Z^ := tr s o V K . By Eq. g|, 
we infer that 



\\(1Z i ®id s »)oVg-Uogt\\ <> < 2^. 



(10) 



^S S"\A 



By Lemma 01 we have <?" = J^s a s"\A ® trs wriere 
trg o VV and where VV is an isometric dila- 
tion of Ma- Finally, if we define M. $>< \a '■= tr s o -^s S"| J 4' 
and take the trace over So on the left-hand side of 
Eq. (|10p (noting that the diamond norm is nonincreasing 
under partial trace), we find 



tr 



B \\o 



<2^l. 



(11) 



Hence, B is 2-^/e-private for as claimed. 
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FIG. 2: Channels involved in the inference from correctable 
to private in Theorem [5] 

As a simple example for the ideal case, consider a 
two-qubit noise model that induces a phase flip Z\ on 
the first qubit with probability one half. The associated 
channel on C 2 <g> C 2 is £{a) = \{a + Z X (jZ x ). The code 
subspace C with basis {|00),|01)} is a decoherence-free 
subspace for £, in the sense that £(<r) — a for all a 
supported on the code space C. The map £ can be 
obtained by tracing out a single qubit environment E 
as £(a) = tr E (U{(j <g> |0)(0|)C/ t ), where U is the unitary 



U oc 1 2 ® |0)(0| + Zi ® |0)(1| + 1 2 ® |1)(0| - Z x ® |1)(1|. 
Direct computation reveals the complementary 
channel f J (cr) = tx s {U{a (g) |0)(0|)?7 t ), satisfies 
f*(tr) = tr(o-)p x + tr(<rZi)/Ja, where Pl oc |0)(0| + |1)(1| 
and P 2 oc |0)(1| + |1)(0|. Theorem [S] predicts the messen- 
ger space C is a private subspace for £K Indeed, one can 
easily verify that for all a supported on the code space C 
we have £*(o") = tr(er) P, with the projector P = p±+ P 2- 

Quantum secret sharing provides a nice example of 
the utility of the complementarity theorem. A ((fe,n)) 
threshold scheme for quantum secret sharing is a proto- 
col that encodes the quantum state of a system S (the 
quantum secret) into n systems, one held by each party, 
such that k parties or more can recover the secret, while 
k — 1 or fewer cannot gain any information about it 0]. 
Our result demonstrates that one can achieve a scheme 
that approximates the ideal functionality as follows: the 
reduction of the encoding map to any k or more parties 
is e-correctable while to any k — 1 or fewer parties it is 
2-^/e-private. As long as the encoding map is an isometry, 
then by our theorem and the definition of complementary 
maps, if the input space is e-correctible for the reduction 
of the encoding map to any k or more parties, then it is 
2 v / e-private for the reduction to any n — k or fewer par- 
ties. Therefore, as long as k— 1 = n— k, or n = 2k— 1, we 
obtain the desired approximation to ideal functionality. 
This is the generalization of Corollary 9 of Q. Further- 
more, every nonisometric encoding among n parties can 
be understood as some isometric encoding among n' > n 
parties where the extra n' — n shares are discarded. Given 
that n' = 2k — 1, we infer that n < 2k — 1. Therefore, 
the approximation to ideal functionality described above 
is impossible if n > 2k. This is the generalization of 
Theorem 2 of @. 

Our result also finds a simple application in the stan- 
dard paradigm of quantum communication where it is 
presumed that any dilation space for the channel £ link- 
ing Alice to Bob ends up in the hands of an adversary. 
The theorem then implies that any subsystem that is e- 
correctable for Bob is 2y / e-private for the adversary. 
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